In this exercise, you will use the Security tab and the icacls tool to get some hands-on practice with access control. You will begin by reviewing the current structure and permissions of the folders you will be manipulating.
On the taskbar, click the File Explorer icon to open a File Explorer window.
In the File Explorer window, navigate to Local Disk (C:).
In the address bar, type cmd and press Enter to open a new command window on the root of the C:\ drive.
At the command prompt, type tree Hall_of_Justice /F and press Enter to see all the folders and files under the Hall_of_Justice folder.
At the command prompt, type tree Hall_of_Doom /F and press Enter to see all the folders and files under the Hall_of_Doom folder.
At the command prompt, type icacls Hall_of_Justice and press Enter to view the current permissions on the Hall_of_Justice folder. You should see that CREATOR OWNER, the SYSTEM account, the Administrators group, and the local cybrary user all have FULL access (F).
Note: In icacls notation, (OI) (object inherit) and (CI) (container inherit) tell us that files and subfolders will inherit the entry. (IO) (inherit only) means the entry does not apply to the folder itself, only to the objects created beneath it; combined with CREATOR OWNER, it means that whoever creates a file or folder receives Full (F) access to the file or folder they create. Next, let's see what this ACL looks like in the Security tab of an object's properties.
In the File Explorer window, right-click the Hall_of_Justice folder and select Properties from the context menu to open the Properties window.
In the Properties window, click the Security tab to view the security permissions for the Hall_of_Justice folder.
On the Security tab, select each user and take note of the permissions granted. Again we see that the SYSTEM account, the Administrators group, and the cybrary user all have FULL access (ALLOW Full Control). CREATOR OWNER has “Special permissions” - which means that its permissions are configured using advanced permissions. Leave the Hall_of_Justice Properties window open.
In the Command Prompt window, type icacls Hall_of_Justice /t and press Enter to see all permissions on all folders and files under Hall_of_Justice.
As nice as the Security tab is for viewing ACLs on a single object, it cannot show ACLs across all files and folders the way icacls can. On this server, there are two existing groups: Heroes and Villains. We want members of the Heroes group to have Modify access to all files and folders under the Hall_of_Justice folder. We want members of the Villains group to have Read and List Folder Contents access to all files and folders under Hall_of_Doom. Heroes can create new files and folders, while Villains can only read what others with more access make for them. Note: For a complete list of icacls permissions, see https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls.
In the Hall_of_Justice Properties window, click the Edit button to open the Permissions window.
In the Permissions window, click the Add… button to open the Select Users or Groups window.
In the Select Users or Groups window, type Heroes in the Enter the object names to select field and click Check Names, then click OK to add the Heroes group to the Hall_of_Justice folder.
In the Permissions window, select the Heroes group and click the Allow Modify checkbox in the Permissions section, then click OK to close the window.
In the Hall_of_Justice Properties window, select the Heroes group and verify the group has Modify access, then click OK to close the window.
In the Command Prompt window, type icacls Hall_of_Justice /t and press Enter to view the updated security permissions for the Hall_of_Justice folder. Notice that members of the Heroes Group have Modify (M) access to the Hall_of_Justice folder and have inherited (I) Modify access to all folders and files under Hall_of_Justice.
Repeat the process above for the Hall_of_Doom folder, adding the Villains group with Allow Read & Execute, List Folder Contents, and Read access, then verify the updated security permissions with icacls.
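The same two grants can be made from the command line, which is easier to script and review than the Security tab. The following PowerShell is an added example, not part of the lab: it wraps icacls /grant with the (OI)(CI) inheritance flags the lab relies on, and then adds a check the GUI does not give you, listing any child object where the group did not receive an inherited entry (for example, because inheritance was disabled there earlier). The function names and the assumption that both folders sit on the root of C:\ are the example's own.

```powershell
# Added example (not from the lab). Run from an elevated PowerShell prompt on the lab host.

function Grant-TreeAccess {
    param(
        [Parameter(Mandatory)][string]$Path,      # e.g. C:\Hall_of_Justice
        [Parameter(Mandatory)][string]$Group,     # e.g. Heroes
        [Parameter(Mandatory)][ValidateSet('N','F','M','RX','R','W','D')][string]$Rights
    )
    # (OI)(CI) makes the entry inheritable by files and subfolders. Do NOT add /t here:
    # Windows propagates the inheritable entry to existing children by itself, whereas
    # /t would stamp a separate explicit entry on every child.
    # ${Group} (with braces) keeps PowerShell from reading "Group:" as a drive qualifier.
    icacls $Path /grant "${Group}:(OI)(CI)$Rights" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed on $Path" }
}

function Find-InheritanceGaps {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group
    )
    # Return every object below $Path that has NO inherited Allow entry for $Group.
    # Local groups appear in ACLs as COMPUTERNAME\Group, so match on the trailing "\Group".
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $hit = (Get-Acl -LiteralPath $_.FullName).Access | Where-Object {
            $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$Group"
        }
        if (-not $hit) { $_.FullName }
    }
}

# Heroes: Modify (M = Read & Execute + Write + Delete, the boxes the Modify checkbox ticks).
Grant-TreeAccess -Path 'C:\Hall_of_Justice' -Group 'Heroes' -Rights 'M'
# Villains: RX = Read & Execute, which in the GUI also ticks List Folder Contents and Read.
Grant-TreeAccess -Path 'C:\Hall_of_Doom' -Group 'Villains' -Rights 'RX'

# Anything printed here is a child that did not pick up the inherited entry; an empty
# result matches what "icacls <folder> /t" should show: (I) entries all the way down.
Find-InheritanceGaps -Path 'C:\Hall_of_Justice' -Group 'Heroes'
Find-InheritanceGaps -Path 'C:\Hall_of_Doom' -Group 'Villains'
```

icacls /grant merges the new entry with whatever explicit entries already exist; use /grant:r if you want it to replace the group's existing explicit entry instead.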
At the command prompt, type icacls Hall_of_Justice\Leadership and press Enter to see the permissions on the Leadership folder.
In the output above, notice that the Heroes group has Modify (M) permission on the Leadership folder and that this permission is inherited (I) from the Hall_of_Justice folder. Suppose the Justice League and the Legion of Doom want a place where their leaders can share and collaborate. They wish to use RBAC to grant access to this resource. There is already a group created for the role of a leader called Leaders, and only this group should have Allow Modify access to the Leadership folder and its contents.
At the command prompt, type net localgroup Leaders and press Enter to get the members of the Leaders group. Take note of the group members. Lex Luthor is a member of the Leaders group. If we simply grant the Leaders group Allow Modify permissions to the Leadership folder under the Hall_of_Justice folder, will Lex Luthor be able to modify files in the Leadership folder? Consider that Lex Luthor is not a member of the Heroes group; therefore, he has no permission granted on the parent folder (Hall_of_Justice). Let's test and see.
In the File Explorer window, open the Hall_of_Justice folder, then right-click the Leadership folder and select Properties.
Follow the same process as before to grant Allow Modify, Read & Execute, List Folder Contents, Read, and Write access to the Leaders group. When finished, leave the Leadership Properties window open.
In the Command Prompt window, use icacls to validate permissions on the Leadership folder. Notice that the Modify (M) permissions granted to Leaders are not inherited (I) from the parent.
In the Leadership Properties window, click the Advanced button to open the Advanced Security Settings window.
In the Advanced Security Settings window, click the Effective Access tab, then click the Select a user link to open the Select User or Group window.
In the Select User or Group window, type lex.luthor in the Enter the object names to select field and click Check Names, then click OK to add the lex.luthor user to the Effective Access view for the Leadership folder. As noted in the Advanced Security Settings window, Effective Access allows you to view the effective permissions for a user, group, or device account. Effective permissions are determined by calculating the user's complete permissions profile, including group permissions and permissions inherited from the parent object.
In the Advanced Security Settings window, click the View Effective Access button. Notice that Lex Luthor has many permissions to the Leadership folder and all its objects.
Close the Advanced Security Settings and Leadership Properties windows.
Repeat the process above to view Lex Luthor's effective access for the parent folder (Hall_of_Justice). Notice that Lex Luthor has no access to traverse the parent folder. As such, Lex has no path to any of the child objects, including the Leadership Folder.
We want leaders, including Lex, to have Modify access to the Leadership folder. One solution would be to grant Lex Luthor granular access (Traverse Folder) to the Hall_of_Justice parent folder. However, "solving" permissions issues in this way becomes problematic as new access requests lead to new pinholes in our access control model. Instead, we will move the Leadership folder and all its contents to Local Disk (C:). We will then change access permissions on the Leadership folder as needed.
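The Effective Access tab answers the question one object at a time. As an added example (not part of the lab), the PowerShell below walks from a folder up to the drive root and, at each level, lists the Allow and Deny entries that apply to a user or to any local group the user belongs to, so the row where access first disappears shows where the path breaks, which is the situation described above for Lex Luthor. It assumes a local account name such as lex.luthor, the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroup, Get-LocalGroupMember) that ship with Windows PowerShell 5.1, and an administrator prompt so every DACL is readable; the function names are the example's own.

```powershell
# Added example (not from the lab): a per-folder view of which ACL entries apply to a user.

function Get-PrincipalNames {
    param([Parameter(Mandatory)][string]$UserName)
    # Names exactly as they appear in ACL IdentityReference fields. A logged-on local user is
    # also Everyone and Authenticated Users, and Authenticated Users is in BUILTIN\Users by default.
    $names = @("$env:COMPUTERNAME\$UserName", 'Everyone',
               'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members | Where-Object { $_.Name -ieq "$env:COMPUTERNAME\$UserName" }) {
            # Built-in groups (SID S-1-5-32-*) show as BUILTIN\name; other local groups as COMPUTER\name.
            $prefix = if ($group.SID.Value -like 'S-1-5-32-*') { 'BUILTIN' } else { $env:COMPUTERNAME }
            $names += "$prefix\$($group.Name)"
        }
    }
    return ($names | Select-Object -Unique)
}

function Get-AccessChain {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$UserName
    )
    $names = Get-PrincipalNames -UserName $UserName
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $item = Get-Item -LiteralPath $Path
    if ($item -is [System.IO.FileInfo]) { $item = $item.Directory }
    $chain = @()
    while ($null -ne $item) {
        $aces = (Get-Acl -LiteralPath $item.FullName).Access | Where-Object {
            ($_.IdentityReference.Value -in $names) -and
            # (IO) inherit-only entries, such as CREATOR OWNER's, do not apply to this folder itself.
            (($_.PropagationFlags -band $inheritOnly) -eq 0)
        }
        $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
        $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
        $chain += [pscustomobject]@{
            Folder  = $item.FullName
            Allow   = ($allow | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
            Deny    = ($deny  | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
            # Simplified verdict: any applicable Allow and no applicable Deny. A Deny on a
            # subset of rights is treated as blocking, which is the conservative reading.
            Reaches = ($allow.Count -gt 0 -and $deny.Count -eq 0)
        }
        $item = $item.Parent      # $null once we pass the drive root, ending the loop
    }
    [array]::Reverse($chain)      # root first, so the first Reaches=False row is the break point
    return $chain
}

Get-AccessChain -Path 'C:\Hall_of_Justice\Leadership' -UserName 'lex.luthor' | Format-Table -AutoSize
```

Before the Leadership folder is moved, the row for C:\Hall_of_Justice comes back with no applicable Allow entry for lex.luthor, which is what the Effective Access tab reported. One caveat the tab does not mention: Windows grants the "Bypass traverse checking" user right to Users by default, so an account that knows the full path can still open an object it has permissions on without List or Traverse on the intermediate folders. The walk above models the permissions themselves, which is the layer this lab is teaching you to reason about.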
Close the Advanced Security Settings and Hall_of_Justice Properties windows.
In the File Explorer window, navigate to the Hall_of_Justice folder, then right-click the Leadership folder and select Cut.
In the File Explorer window, navigate to Local Disk (C:) and, in any open space, right-click and select Paste to move the Leadership folder and its contents to Local Disk (C:).
Using icacls, check the current permissions on the Leadership folder.
Notice that the BUILTIN\Users group has inherited (I) permissions from the new parent container, Local Disk (C:). As all users are part of the built-in Users group, this would grant unwanted access to all local users. We need to remove this unwanted access. You may also have noticed that the Heroes group permission is gone. The Heroes group permission was inherited from the Hall_of_Justice folder, and Windows removed it when the folder was relocated to Local Disk (C:), because inherited entries are re-evaluated against the new parent. The Leaders group permission, however, was explicitly granted and thus carried over in the move.
In the File Explorer window, right-click the Leadership folder and select Properties from the context menu to open the Properties window.
In the Leadership Properties window, click the Security tab to view the security permissions for the Leadership folder.
In the Properties window, click the Edit button to open the Permissions window.
In the Permissions window, select the Users group and click Remove. Take note of the error message shown. We will need to block inheritance on the Leadership folder before we can make permission changes to the Leadership folder. Click OK to close the error.
In the Permissions window, click Cancel.
In the Leadership Properties window, click the Advanced button.
In the Advanced Security Settings window, click the Disable inheritance button. When prompted, click Convert inherited permissions to explicit permissions on this object. Note: When disabling inheritance, you must either copy the existing rules or start with a clean slate. We want to copy the existing rules.
In the Advanced Security Settings window, click OK to apply your changes and close the window.
Repeat the process above to remove the Users group from the Leadership folder.
In the Command Prompt window, use icacls to validate permissions on the Leadership folder. Notice that all inherited permissions are gone along with the Users group. Members of the Leaders group have Allow Modify (M) access as before.
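The inheritance change and the removal of the Users group can also be done with icacls, which is useful when the same cleanup has to be repeated on many folders. The following PowerShell is an added example, not from the lab: it performs the two steps and then runs two checks a reviewer would want after any inheritance break, confirming that no (I) entries remain and that no broad principal (Users, Everyone, Authenticated Users) still has an Allow entry. It assumes the folder has already been moved to C:\Leadership as in the steps above; the function names are the example's own.

```powershell
# Added example (not from the lab). Run from an elevated PowerShell prompt on the lab host.

# /inheritance:d = disable inheritance AND keep the inherited entries as explicit copies
#                  (the "Convert inherited permissions to explicit permissions" choice).
# /inheritance:r = disable inheritance and discard the inherited entries (the "Remove" choice).
icacls C:\Leadership /inheritance:d
if ($LASTEXITCODE -ne 0) { throw 'icacls /inheritance:d failed' }

# With nothing inherited any more, the Users entries can be removed. /remove:g removes all
# Allow (grant) entries for the SID; /remove:d would remove Deny entries instead.
icacls C:\Leadership /remove:g "BUILTIN\Users"
if ($LASTEXITCODE -ne 0) { throw 'icacls /remove:g failed' }

function Test-NoInheritedAces {
    param([Parameter(Mandatory)][string]$Path)
    # $true when the DACL contains no (I) entries at all; expected after /inheritance:d or :r.
    $inherited = @((Get-Acl -LiteralPath $Path).Access | Where-Object { $_.IsInherited })
    return ($inherited.Count -eq 0)
}

function Find-BroadGrants {
    param([Parameter(Mandatory)][string]$Path)
    # Allow entries for principals that cover every local user. Any line printed here is an
    # unwanted access path of the kind the lab just removed.
    $broad = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -in $broad } |
        ForEach-Object { "$($_.IdentityReference) $($_.FileSystemRights) (inherited=$($_.IsInherited))" }
}

# Both checks should be clean for the folder and for everything beneath it.
Get-ChildItem -LiteralPath 'C:\Leadership' -Recurse -Force | ForEach-Object {
    if (Find-BroadGrants -Path $_.FullName) { "Broad grant still present on $($_.FullName)" }
}
"No inherited entries on C:\Leadership: $(Test-NoInheritedAces -Path 'C:\Leadership')"
Find-BroadGrants -Path 'C:\Leadership'
icacls C:\Leadership
```

The children of C:\Leadership still inherit from C:\Leadership itself, so they keep (I) entries; the point of the recursive check is only that none of those entries belong to a broad principal.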
As you did earlier in this lab, use the Effective Access feature to check Lex Luthor's permissions for the Leadership folder (this should look as it did before).
Navigate to This PC, then use the Effective Access feature to check Lex Luthor's permissions for the Local Disk (C:). Notice that this time Lex Luthor has just enough permission on the parent object to access the child object (the Leadership folder). No access pinholes are required to get Lex to the Leadership folder. Congratulations! In this exercise, you learned a lot about Windows access control. You used the Security tab to configure group-level access and icacls to validate. You also learned how to view a user’s effective access to files and folders. Be sure to answer the questions on the Tasks tab, then proceed to the Challenge Exercise. Don’t worry - you now have all the skills you need.